From 943961cca233107f2e385faac9b8fc1969681c1d Mon Sep 17 00:00:00 2001 From: Daniel Tartavel Date: Mon, 26 Sep 2022 11:54:58 +0200 Subject: [PATCH] added protection on insert in database --- gestion/saisieCandidats.php | 4 ++-- gestion/saisieVotation.php | 2 +- gestion/saisieVotes.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/gestion/saisieCandidats.php b/gestion/saisieCandidats.php index 0dda1f3..88316ab 100644 --- a/gestion/saisieCandidats.php +++ b/gestion/saisieCandidats.php @@ -12,9 +12,9 @@ $idVote = getpost("idVote"); $candidat = getpost("candidat"); $libelle = getpost("libelle"); -if (!empty($idCandidat)) +if (!empty($candidat)) { - $query = "INSERT INTO liste_candidats VALUES (0, " . $idVotation . ", " . $idVote . ",'" . $libelle . "', '". $candidat . "')"; + $query = "INSERT INTO liste_candidats VALUES (0, " . $db->protect($idVotation) . ", " . $db->protect($idVote) . ",'" . $db->protect($libelle) . "', '". $db->protect($candidat) . "')"; $db->query($query); header("Location: " . $$base_url . "/" . $path , TRUE, 301); return; diff --git a/gestion/saisieVotation.php b/gestion/saisieVotation.php index 4c3bab8..8c5028e 100644 --- a/gestion/saisieVotation.php +++ b/gestion/saisieVotation.php @@ -24,7 +24,7 @@ $dateFin = getpost("dateFin"); if ($titre !== null and $libelle!== null and $dateDebut!== null and $dateFin !== null) { $db = new db(); - $query = "INSERT INTO liste_votations VALUES(0, '" . $titre . "', '" . $libelle . "', '0', '" . $dateDebut . "', '" . $dateFin . "')"; // clotûre + $query = "INSERT INTO liste_votations VALUES(0, '" . $db->protect($titre) . "', '" . $db->protect($libelle) . "', '0', '" . $db->protect($dateDebut) . "', '" . $db->protect($dateFin) . "')"; // clotûre $db->query($query); $db->close(); // TODO retour à l'index diff --git a/gestion/saisieVotes.php b/gestion/saisieVotes.php index 6435451..ad1c352 100644 --- a/gestion/saisieVotes.php +++ b/gestion/saisieVotes.php @@ -16,7 +16,7 @@ if (!empty($idVotation)) { if (!empty($method) and !empty($libelle)) { - $query = "INSERT INTO liste_votes VALUES (0, '" . $libelle . "', " . $method . "," . $idVotation . ")"; + $query = "INSERT INTO liste_votes VALUES (0, '" . $db->protect($libelle) . "', " . $db->protect($method) . "," . $db->protect($idVotation) . ")"; $db->query($query); header("Location: " . $$base_url . "/" . $path , TRUE, 301); return;